On 02/06/2014 09:30 AM, S. Dale Morrey wrote:
> Well oddly enough today I had a server hacked. There was a privilege
> escalation flaw in the only exposed daemon (probably a 0-day of some sort;
> I've reported it to the devs).
Indeed we are only as secure as the weakest link in the chain. What
daemon was hacked?
> Someone managed to get root, remove the cert, set a password and login via
> ssh and then set the box up as a spam relay of all things.
> I think from now on, I'm going to see if there is a way to just completely
> remove the root user. (Box is fully patched and auto-updates and applies
> patches daily).
Think you're barking up the wrong tree. Disabling root as a login user
would not help you not get hacked in this instance. In your case the
problem is that the service either was running as root (which your
disabling of root login will not change), or had a privilege escalation
path available to it. So you need to a) not run the service as root and
b) make sure selinux or a similar system is locking down the process, to
restrict what it can do, even if it does get hacked.
> I would like to set up a central auth server (probably LDAP) that auths me
> as an individual to these servers. Then remove root completely. Is that
> even possible?
> I guess in reality it would be no different than just renaming root to a
> different name, but frankly cleaning up the damage from this script kiddy
> is annoying me.
Again, it wouldn't have helped you.
> Having an auth server be authoritative for a box, and then have permissions
> and groups set by the box seems like a decent solution, but then I ask
> myself, what happens when the authbox gets cracked?
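The two mitigations the reply above recommends (don't run the exposed daemon as root, and confine the process so a compromise stays contained) can be checked mechanically for services managed by systemd. The following is an added example, not code from anyone in this thread: a small linter that parses a service unit and reports whether it sets `User=` to a non-root account and whether it enables a handful of systemd's sandboxing directives. It uses systemd's own sandboxing as the stand-in for the "selinux or similar" confinement the reply mentions; the unit texts, the daemon name `exampled`, and the set of required directives are constructed for illustration, not taken from any real service.

```python
"""Audit a systemd service unit for the two mitigations discussed in the thread:
run as a dedicated non-root user, and confine the process so that a compromise
of the daemon does not hand over the whole box.

Added example. The unit texts, the daemon name 'exampled' and the list of
required directives are constructed for illustration (assumed policy, not a
systemd or distribution standard).
"""

import configparser
from typing import Dict, List

# Confinement directives that narrow what the service can do even after it is
# compromised, mapped to the values this (constructed) policy accepts.
CONFINEMENT_DIRECTIVES = {
    "NoNewPrivileges": {"yes", "true"},        # block setuid/capability gain via exec
    "ProtectSystem": {"strict", "full"},       # /usr, /etc (and more) read-only
    "ProtectHome": {"yes", "true", "read-only"},  # no access to user home directories
    "PrivateTmp": {"yes", "true"},             # private /tmp, not shared with others
}

# Constructed sample: an exposed daemon with no User= line, so systemd runs it as root.
WEAK_UNIT = """
[Unit]
Description=example mail daemon (constructed sample)

[Service]
ExecStart=/usr/sbin/exampled --listen 0.0.0.0:25
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

# Constructed sample: same daemon, dedicated account plus sandboxing directives.
HARDENED_UNIT = """
[Unit]
Description=example mail daemon, hardened (constructed sample)

[Service]
ExecStart=/usr/sbin/exampled --listen 0.0.0.0:25
Restart=on-failure
User=exampled
Group=exampled
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
"""


def parse_unit(text: str) -> Dict[str, str]:
    """Return the [Service] section of a unit file as a dict (keys case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # unit-file keys are case-sensitive; keep them as written
    cp.read_string(text)
    return dict(cp["Service"]) if cp.has_section("Service") else {}


def audit_unit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the unit passes the policy."""
    service = parse_unit(text)
    findings: List[str] = []

    # systemd runs the service as root when User= is absent.
    user = service.get("User", "root")
    if user == "root":
        findings.append("runs as root: set User= to a dedicated account")

    for key, accepted in CONFINEMENT_DIRECTIVES.items():
        value = service.get(key)
        if value is None:
            findings.append(f"{key}= not set")
        elif value.lower() not in accepted:
            findings.append(f"{key}={value} is weaker than the policy requires")
    return findings


if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        result = audit_unit(unit)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run against the constructed samples, the weak unit produces five findings (root plus four missing directives) and the hardened one none. The check is deliberately narrow: it says nothing about SELinux or AppArmor policy, about capabilities the daemon may still hold, or about whether the account named in `User=` actually exists, so treat a clean result as a necessary rather than sufficient condition.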